nginx: wrap server in http context #277

Merged: 1 commit merged into mozilla:master from the nginx-http-context branch, Dec 6, 2024

Conversation

gstrauss (Collaborator):

nginx: wrap server in http context

share most of the ssl config in the http context

@gstrauss (Collaborator, Author):

Please note: it is easier to review this change if you Hide Whitespace changes.

@gstrauss (Collaborator, Author) commented Nov 25, 2024:

The Intermediate config with this PR looks like:

# generated 2024-11-25, Mozilla Guideline v5.7, nginx 1.26.0, OpenSSL 1.1.1w, intermediate configuration
# http://localhost:5500/#server=nginx&version=1.26.0&config=intermediate&openssl=1.1.1w&guideline=5.7

http {

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        http2 on;

        ssl_certificate /path/to/signed_cert_plus_intermediates;
        ssl_certificate_key /path/to/private_key;
    }

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions

    # curl http://localhost:5500/ffdhe2048.txt > /path/to/dhparam
    ssl_dhparam /path/to/dhparam;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    # replace with the IP address of your resolver
    resolver 127.0.0.1;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    server {
        listen 80 default_server;
        listen [::]:80 default_server;

        add_header Strict-Transport-Security "";
        return 301 https://$host$request_uri;
    }

}

@gstrauss (Collaborator, Author) commented Nov 25, 2024:

This PR adds http context around virtual server contexts.

Out-of-scope for this PR is #124 for TLSv1.3 ciphersuites and #270 ssl_ecdh_curve. Please follow discussions there for those items.
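The shared-policy layout shown in the generated config above relies on two nginx inheritance rules: ssl_* directives set in the http context apply to every server block that does not redefine them, and add_header is inherited only when the server block defines no add_header of its own, which is what the empty Strict-Transport-Security header in the port-80 redirect server uses to stay HSTS-free. The script below is an added example for this discussion, not code from the ssl-config-generator project or from the PR. It parses an nginx config fragment, resolves what each server block actually ends up with, and flags per-vhost overrides that weaken the policy the http context sets (for instance a vhost that re-enables TLS 1.0/1.1). The sample config is constructed, and treating every ssl_* directive plus resolver as inheritable is an assumption of the example; nginx has other inheritable directives this small parser ignores.

```python
import re
from typing import Dict, List, Tuple

Directive = Tuple[str, List[str]]
_TOKEN_RE = re.compile(r'''"[^"]*"|'[^']*'|[{};]|[^\s{};"']+''')
# Shared policy a server block inherits from http unless it redefines it
# (assumption for this example: every ssl_* directive plus resolver).
_INHERITED = ("ssl_", "resolver")
# Protocol tokens the Mozilla intermediate profile leaves out.
_LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _tokenize(text: str) -> List[str]:
    # Drop '#' comments per line, then split into words, quoted strings and { } ;.
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    return [t[1:-1] if t[0] in "\"'" else t for t in _TOKEN_RE.findall(body)]


def parse(text: str) -> dict:
    """Parse `name args;` statements and `name args { ... }` blocks into a tree."""
    tokens, pos = _tokenize(text), 0

    def block(name: str, args: List[str]) -> dict:
        nonlocal pos
        node = {"name": name, "args": args, "directives": [], "children": []}
        while pos < len(tokens) and tokens[pos] != "}":
            stmt: List[str] = []
            while pos < len(tokens) and tokens[pos] not in ("{", ";", "}"):
                stmt.append(tokens[pos])
                pos += 1
            if pos >= len(tokens) or not stmt or tokens[pos] == "}":
                raise ValueError(f"malformed statement near token {pos}")
            pos += 1  # consume the ';' or '{'
            if tokens[pos - 1] == ";":
                node["directives"].append((stmt[0], stmt[1:]))
            else:
                node["children"].append(block(stmt[0], stmt[1:]))
        pos += 1  # consume the closing '}' (the root has none, so it ends at len+1)
        return node

    root = block("main", [])
    if pos != len(tokens) + 1:
        raise ValueError("unbalanced braces")
    return root


def _headers(directives: List[Directive]) -> List[Tuple[str, str]]:
    # nginx does not emit an add_header whose value is the empty string.
    return [(a[0], a[1]) for n, a in directives if n == "add_header" and len(a) > 1 and a[1]]


def analyze(text: str) -> Dict[str, dict]:
    """Per server block: effective TLS directives, response headers and findings."""
    https = [c for c in parse(text)["children"] if c["name"] == "http"]
    if len(https) != 1:
        raise ValueError("expected exactly one http block")
    http = https[0]
    shared = {n: a for n, a in http["directives"] if n.startswith(_INHERITED)}
    report: Dict[str, dict] = {}
    for srv in (c for c in http["children"] if c["name"] == "server"):
        own = {n: a for n, a in srv["directives"] if n.startswith(_INHERITED)}
        effective = {**shared, **own}  # server-level value wins over http-level
        # add_header inherits all-or-nothing: a single add_header in the server
        # block, even with an empty value, discards every http-level header.
        own_hdrs = [d for d in srv["directives"] if d[0] == "add_header"]
        headers = _headers(own_hdrs or http["directives"])
        findings = []
        for n, a in own.items():
            if n in shared and shared[n] != a:
                findings.append(f"{n} overrides http-level '{' '.join(shared[n])}' with '{' '.join(a)}'")
        legacy = sorted(_LEGACY_PROTOCOLS & set(effective.get("ssl_protocols", [])))
        if legacy:
            findings.append("enables legacy protocols: " + " ".join(legacy))
        names = [a for n, a in srv["directives"] if n == "server_name"]
        label = " ".join(names[0]) if names else f"server#{len(report)}"
        report[label] = {"effective": effective, "headers": headers, "findings": findings}
    return report


# Constructed sample modelled on the layout this PR generates; not real site config.
SAMPLE = """
http {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    server {  # inherits the whole shared policy
        listen 443 ssl;
        server_name good.example;
        ssl_certificate /path/to/cert;
    }
    server {  # per-vhost override that quietly re-enables TLS 1.0/1.1
        listen 443 ssl;
        server_name legacy.example;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }
    server {  # redirect vhost: the empty add_header blocks HSTS inheritance
        listen 80 default_server;
        server_name redirect.example;
        add_header Strict-Transport-Security "";
        return 301 https://$host$request_uri;
    }
}
"""

if __name__ == "__main__":
    for label, info in analyze(SAMPLE).items():
        print(label, info["effective"].get("ssl_protocols"), info["headers"], info["findings"])
```

Run it against a real `nginx -T` dump to see which vhosts silently diverge from the http-level policy; the legacy.example block in the sample is reported twice, once for overriding ssl_protocols and once for the TLS 1.0/1.1 it brings back, while redirect.example correctly ends up with no HSTS header.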

share most of the ssl config in the http context

x-ref:
  "Move nginx ssl_protocols directive outside of server context into new parent http context"
  mozilla#141

github: closes mozilla#141
@gstrauss gstrauss merged commit c68fd7a into mozilla:master Dec 6, 2024
3 checks passed
@gstrauss gstrauss deleted the nginx-http-context branch December 7, 2024 01:09